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generate polynomial time decidable inference relations. The procedure can 
automatically recognize the tractability of the inference rules underlying con- 
gruence closure. The recognition of tractability for that particular rule set 
constitutes mechanical verification of a theorem originally proved indepen- 
dently by Kozen and Shostak. The procedure is algorithmic, rather than 
heuristic, and the class of automatically recognizable tractable rule sets can 
be precisely characterized. A series of examples of rule sets whose tractability 
is non-trivial, yet machine recognizable, is also given. The technical frame- 
work developed here is viewed as a first step toward a general theory of 
tractable inference relations. 
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1 Introduction 



Decidable inference relations have been studied from a variety of different 
directions and have been applied in a variety of ways. The well-known con- 
gruence closure algorithm is fundamentally a decision procedure for the in- 
ference relation defined by the inference rules for equality, including the rule 
for the substitution of equals for equals [Kozen, 1977], [Downey et al, 1980], 
[Nelson and Oppen, 1980]. Congruence closure has applications in, among 
other things, compilation and program verification [Downey et al., 1980], 
[Nelson and Oppen, 1979]. Other decidable relations have played a role in 
various automated inference and program verification systems [Nelson and 
Oppen, 1980], [Constable and Eichenlaub, 1982], [Shostak, 1984]. Decid- 
able inference relations also play a central role in strongly typed computer 
programming languages [Milner, 1978] where the types of program expres- 
sions are defined by inference rules for deriving types. In most practical type 
systems the inference rules for deriving types yield a decidable relation. 

In light of the attention that has already been given to particular decid- 
able inference relations, a general theory of decidable relations would seem to 
have wide applications. This paper investigates a certain class of polynomial- 
time decidable inference relations called local relations. Locality is an easily 
defined property of a set of inference rules which guarantees that the inference 
relation generated by those rules is polynomial time decidable. Although lo- 
cality is easily defined, determining whether a given set of inference rules is 
local can be difficult — it is not currently known whether locality itself is 
decidable. However, it is possible to construct a procedure for automatically 
recognizing a certain subclass of local relations. 

The best known example of a local rule set is the set of rules for equality 
that underlies the congruence closure procedure. The method given here 
for automatically recognizing certain local rule sets can be used to machine 
verify a theorem given in [Kozen, 1977], [Shostack, 1978], and [Nelson and 
Oppen, 1980] concerning the equality rule set. Additional examples of local 
rule sets are given below which support the conjecture that non-trivial local 
rule sets are quite common. 

The technical notion of locality presented in this paper underlies a general 



approach to the construction of semi-automated verification systems for ar- 
bitrary first order reasoning. Consider a sound and complete set of inference 
rules for first order logic. These rules can be separated into local and in- 
tractable rules. The local rule set defines a notion of an "obvious" inference. 
A "high-level proof" is a proof in which the individual steps are obvious in 
this sense. The amount of detail that must be explicitly given in high-level 
proofs is determined by the power of the local rule set — powerful local rules 
yield more concise high-level proofs. Clearly, one would like the local rule 
set to be as powerful as possible. 

Powerful local rule sets can be constructed using non-standard syntax. 
There are many different languages, with non-standard syntax and semantics, 
that are all expressively equivalent to first order predicate calculus. Each 
such language can be associated with sound and complete inference rules — 
phrased in the syntax of that particular language — and these rules can be 
separated into local and intractable rules. The power of the resulting local 
rule set is sensitive the original choice of syntax and semantics. It seems that 
syntactic features of natural languages such as English are particularly useful 
in constructing powerful local rule sets. The fact that certain syntactic and 
semantic constructions yield powerful local rule sets suggests a functional 
explanation for the existence of those constructions in human language. An 
example of a local natural language rule set is given in section 7. The general 
approach to the use of locality in constructing high-level proof systems is 
discussed in section 8. 

Hopefully, the notion of locality described in this paper is a first step 
toward a more general understanding of tractable rule sets. Several open 
technical problems, and several directions for further research, are discussed 
at the end of the paper. A better understanding of tractable inference rela- 
tions will hopefully result in an improved technology for the construction of 
semi-automated verification systems, and a deeper understanding of inference 
in general. 



2 Preliminary Definitions 

This paper presents a general procedure for recognizing certain cases in which 
a set of inference rules generates a computationally tractable inference rela- 
tion. The first step in constructing such a procedure is to precisely define 
the notion of an "inference rule". Figure 1 gives basic inference rules for the 
Boolean connectives -i and V. In these rules a question mark in front of a 
symbol indicates a variable that can be replaced by different expressions in 
different applications of the rule. Variables in inference rules will be called 
metavariables to distinguish them from variables of the underlying language. 

Throughout the remainder of this paper we let B (for Boolean) denote 
the set of inference rules given in figure 1. All Boolean expressions can be 
written in terms of the two universal connectives -> and V. The rule set B 
expresses some, but not all, of the inferential properties of these connectives. 
The rule set B can be viewed as a (somewhat obscure) characterization of 
unit resolution, or as a specification of the Boolean constraint propagation 
mechanism described in [McAUester, 1989]. The inference relation generated 
by these rules is linear time decidable. Yet, if the above inference rules are 
augmented by a simple case analysis sequent rule then the rules become 
complete for Boolean inference. 

As another example of a set of inference rules, consider the following rules 
for equality. 
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Figure 1: A tractable set of Boolean inference rules 

The rules 13, 14, and 15 express the symmetry, reflexivity, and transitivity 
properties of equality respectively, while rule 16 expresses the substitutivity 
of equals for equals. It is well known that congruence closure provides a 
polynomial time decision procedure for the inference relation generated by 
these equality rules. The precise notion of inference rule developed here is 
not general enough to allow for the notation ". . ." used in rule 16. Fortu- 
nately, however, any inference problem involving function symbols of more 
than two arguments can be converted to an equivalent problem involving 
function symbols of at most two arguments. For example, a function / of 
three arguments can be replaced by two functions pair and /' such that 



f(x, y, z) equals f'(x, pair(t/, z)). Without loss of generality, we can 
replace rule 16 by the following two rules. 



16a la = It 16b l Sl = lt r 
?s 2 = ?t 2 



If (Is) = If (It) 



?/(?«i, ?«*) = ?/(?*!, ?**) 



In the remainder of this paper we let E denote the rule set consisting of rules 
13, 14, 15, 16a and 16b. 

Different metavariables have different syntactic kinds. For example, the 
metavariables that appear in the Boolean rule set B range over formulas, 
while the rule set E has metavariables that range over terms and metavari- 
ables that range over function symbols. The phrases "formula", "term", and 
"monadic function" each refer to a particular syntactic kind. 

Definition: A syntactic kind is either a kind symbol or an ex- 
pression of the form <Ti x a? x . . . cr n — > r where r and each <Ji are 
syntactic kinds. 

Definition: A well formed expressionis either a constant symbol 
or metavariable of a given syntactic kind, or an application of 
the form f(si . ..s n ) where / is a well formed expression of kind 
<Ti x . . . a n — ► r and each Sj is a well formed expression of kind 
er,-. In the latter case the expression f(s\ . . . s n ) is a well-formed 
expression of kind r. 

In first order predicate calculus, an ordinary constant symbol is just a 
constant of kind term; a proposition symbol is a constant of kind formula; a 
function symbol of is a constant of kind term x . . . term — » term; and a pred- 
icate symbol is a constant of kind term x . . . term — ► formula. The Boolean 
connectives -« and V are constants of kind formula — ► formula and formula 
x formula — ► formula respectively. Quantifier-free predicate calculus is the 
language generated by a set of constants of type term, a set of constants of 
type formula, a set of function symbols, a set of predicate symbols (including 



equality) and the Boolean connectives. A well formed expression o(e 1? . . . e n ) 
will sometimes be written as (o ei...e n ) (Lisp notation), and occasionally 
as ei o e 2 (infix notation). 

The above definitions do not allow for quantified expressions. This paper 
only discusses inference rules that do not involve quantification. Even with- 
out quantifiers, a set of rules can still generate an undecidable or intractable 
inference relation. On the other hand, the presence of quantifiers does not 
necessarily prevent tractability. Tractable inference relations involving quan- 
tification are discussed in [McAllester, 1989] and [McAUester et a/., 1989]. A 
more general notion of locality will be needed to construct a procedure for 
automatically recognizing tractability in rule sets that involve quantification. 

Definition: A well formed expression of kind formula will be 
called a formula. 

Definition: An inference rule is an object of the form 



6 
where W x . . . * n and are all formulas. 

Definition: A metavariable substitution is a mapping p from 
metavariables to expressions such that, for any metavariable ?x, 
we have that p(lx) is a well formed expression of the same kind 
as ?x. 

Definition: For any metavariable substitution p, and any well 
formed expression s, we define p(s) to be the result of replacing 
each metavariable in s by its image under p. For any set of 
expressions T, we define p(T) to be the set {p(s) : s € T}. 

Observation: For any metavariable substitution p, and any well 
formed expression s, p(s) is a well formed expression with the 
same syntactic kind as s. 

Definition: A formula $ is one-step derivable from a set of for- 
mulas E under inference rules R if there exists an inference rule 
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in R, and a metavariable substitution p, such that p(^i), . . . p(^ n ) 
are all members of E and p(Q) equals <&. 

Definition: A derivation of $ from E is a sequence of formulas 
^i , \I>2 > • • • ^n such that each tf,- is either a member of E, or is one- 
step derivable under R from previous elements of the sequence, 
and ^ n is the formula $. If there exists a derivation of $ from E 
under rule set R then we write E Hr $. 

Note that \-r is the relation generated by R in the standard way. 



3 Local Rule Sets 

We are interested in finding general properties of a rule set R that guarantee 
that the corresponding inference relation \-r is polynomial time decidable. 
One way of doing this is to consider a "restricted" relation h r that is ex- 
plicitly constructed to be polynomial time decidable. This can be done using 
the following terminology. 

Definition: A formula \I> will be called a label formula of a set 
or expressions f2 if every proper subexpression of ^ is a member 

of n. 

Definition: For any set of formulas T and rule set R we define 
0,(R, T) to be the set of all proper subexpressions of formulas in 
T plus all closed (variable-free) proper subexpressions of formulas 
inR. 

Note that, for any finite rule set R and finite formula set V, the set £l(R, V) 
is finite. However, any formula constant or formula metavariable is a label 
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formula of any expression set. This implies that any expression set has 
an infinite set of label formulas. In spite of the infinity of label formulas, 
however, restricting the inference process to label formulas of a small finite 
set yields a tractable inference relation. 

Definition: We write E h r $ if there exists some derivation 
\Pi, ^ 2 5 • • • ^n of $ from E under rule set R such that each #,• is 
a label formula of tl(R, E U {$}). 

Tractability Lemma: For any finite rule set R, the relation h r 
is polynomial time decidable. 

Definition: A set of rules R will be called local if the relation 
H r is the same as the relation I-r. 

The tractability lemma implies that the inference relation generated by 
a local rule set is polynomial time decidable. The proof of a refined version 
of the tractability lemma is given in the following section. It is instructive, 
however, to consider the equality rule set E. Consider the problem of deter- 
mining whether or not E H # $ where $ and each formula in E are equations 
between first order terms. The expression set Q(E, E U {$}) consists of the 
equality symbol plus all first order terms that appear in E and $. If s and 
t are terms in £l(E, E U {$}) then the equation s = t is a label formula 
of fi(£,SU {$}). Let n be the total size of E U {$}. There are order n 2 
equations that are label formulas of Q,(E,H U {$}). This implies that one 
can enumerate, in polynomial time, all label formulas of Q(E, E U {$}) that 
can be derived from E using derivations restricted to label formulas. 

The definition of locality does not provide any obvious way of determining 
if a given rule set is local. Locality of the equality inference rules was orig- 
inally proved (using different terminology) independently by Kozen [Kozen, 
1977] and Shostak [Shostack, 1978]. Kozen uses a syntactic argument to 
show that if E \~e $, then E H E $. The proof is essentially an induction 
on the length of the derivation used to establish E \~e $• Shostak's proof of 
the locality of E is semantic. Shostak observes that the relation h ^ is clearly 
sound under the standard semantics for equality. Furthermore, if E \/ E $, 
then one can construct a model of E in which $ is false. In other words, the 



relation h # is semantically complete. Since \~e is sound, and \-& is at least as 
strong as H #, the semantic completeness of H e implies that H ^ is the same 
as \~e> A semantic proof using a simpler model construction was later given 
by Nelson and Oppen [Nelson and Oppen, 1980]. Semantic proofs of locality 
of other rule sets can be found in [McAllester et a/., 1989] and [McAllester 
and Givan, 1989]. 

Semantic proofs of locality are more compact in many cases than syn- 
tactic proofs of the same results. However, it seems difficult to generalize 
semantic proof techniques to the point where they can be used to mechani- 
cally recognize a wide class of local rule sets. However, section 6 shows that 
syntactic techniques for proving locality can be used as the foundation for a 
general locality recognition procedure. 



4 The Tractability Lemma 

The tractability lemma states that for any finite rule set R, the relation H r is 
polynomial time decidable. The statement of the tractability lemma can be 
refined to give a useful upper bound on the order of the polynomial involved. 
This refinement requires some additional terminology. 

Definition: An inference rule r will be said to have order k 
if there exist expressions ei . . . e&, such that each e,- is either a 
metavariable or a proper subexpression of some formula in the 
rule r, and such that every metavariable that appears in r also 
appears in some e,-. 

For example, the rule 



16b ? Sl = ?*! 

?s 2 = ?*2 



?/Y? 



/(?*!, s 2 ) = ?/(?<!, ?t 2 ), 



10 



has order two because the two expressions ?/(?si, ?s 2 ) an d ?/(?*i> 1t 2 ) 
satisfy the requirements of the above conditions. Note that the rule does 
not have order one because the equation ?/(?si, s 2 ) = ?/(?<i, Iti) is not a 
proper subexpression of a formula in the rule. Similarly, the rule 



1?^ 



■.(?* V ?*) 



has order one, while the rule 



3 ?<5 



?* V?$ 



has order two. 



Refined Tractability Lemma: For a fixed finite rule set R, it 
is possible to determine whether £ h r $ in order n k time where 
n is the total size of £ and $ and all rules in R have order & or 
less. 



Proof: For the purposes of this proof, a rule set R will be called normal if, for 
every rule r in R, every metavariable in r appears as a proper subexpression 
of some formula in r. We first reduce the problem of determining whether 
£ H r $ to the the problem of determining whether £ H r $ in the case 
where R is normal. If E is empty, and no inference rule in R has an empty 
set of antecedents, then £ \/ R $. Thus we can assume without loss of 
generality that either E is non-empty or some rule in R has no antecedents. 
Consider a rule r and a metavariable ?\I> that appears in r but does not 
appear as a proper subexpression of any formula in r. The only place ?^ can 
appear in r is as an antecedent or conclusion. If ?\I> is both an antecedent 
and a conclusion, then r can be removed from the rule set without affecting 
the relation H R . If ?\J/ is an antecedent but not a conclusion, then the above 
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comments about £ and R imply that the rule r can be replaced by the rule 
r' in which the antecedent ?\P has been removed. If ?* is the conclusion of 
r, but is not an antecedent of r, then we replace r by the rule r' derived from 
r be replacing the conclusion ?\P with a new formula constant F. Let R' be 
the rule set derived from R by making all such removals and replacements. 
We now have that £ H R $ just in case £ h & $ or £ H R < F. Furthermore, 
R' is a normal rule set and all rules in R' have order k or less. 

Now, without loss of generality, we can assume that R is a normal rule set. 
Let T be the set Q(R, E U {$}). For a fixed rule set i?, the set T has order 
n elements. We have that S Hr $ just in case there exists a derivation 
\]>i, \I>2 . . . \t n of $ from £ under R such that each ^,- is a label formula of 
T. Let t be an inference rule in R. For any metavariable substitution p we 
let p(r) be the rule derived from p by replacing each metavariable in r by its 
image under p. Since R is normal, we need only consider those instances p(r) 
where p maps every metavariable in r to a member of T. Let e\ . . . ej be a set 
of expressions that satisfy the conditions of the definition of r being order j. 
Each e,- is either a metavariable or a proper subexpression of some formula 
in r. This implies that we need only consider those instances p(r) where p 
is a substitution such that p{e\) . . . p(ej) are all members of T. Since every 
metavariable in r appears in some e,-, the set of all such instances p(r) can be 
computed by matching the expressions t\ . . . ej against elements of T. For 
a fixed rule r (independent of the size n), the set of all possible matches of 
e x . . . ej to elements of T can be computed in order n J time. The restriction 
that each p(e,-) be an element of T does not guarantee that the conclusion 
and antecedents of p(r) are label formulas of T. Let I{r) be the set of all 
such instances p(r) such that the conclusion and all the antecedents of p(r) 
are label formulas of T. The set I{r) can be computed in order n J time. Let 
I(R) be the union of the sets I(r) for rules r in R. The set I(R) can be 
computed in order n k time. We now have that E H r $ just in case $ can 
be derived from E under the rules I(R) by purely propositional reasoning 
(we need not consider further substitution into the rules in I(R)). This is 
equivalent to determining if a given proposition symbol can be derived from 
a set of proposition symbols using a set of propositional Horn clauses. The 
existence of such a derivation can be determined in time proportional to 
the total size of the set of propositional Horn clauses. Since I(R) can be 
computed in order n k time, its total size is order n k . 



12 



5 Syntactic Proofs of Locality 

For any finite rule set R, the relation h R is polynomial time decidable. The 
rule set R is local if the relation h ^ is the same as the relation h r. A 
general syntactic approach to proving locality for particular rule sets can be 
constructed using the following definitions. 

Definition: A set of expressions T will be called subexpression 
closed if every subexpression of every member of T is also a mem- 
ber of T. 

Definition: Let R be a rule set, E a formula set, and let T be 
an expression set that is subexpression closed and that contains 
£l(R, E) as a subset. The set Ch(E, T) is defined to be the set of 
formulas ^ such that there exists a derivation of \P from E such 
that every formula appearing in that derivation is a label formula 
of T. 

Observation: E h H $ if and only if $ <E C fl (E,S7(#,EU {$})). 

Definition: We say that the set Cr(E, T) is universal if Cr(E, T) 
contains all label formulas of T. 

Lemma: Let R be a fixed rule set such that all rules in R have 
order k or less. Let E be a formula set, let T be a subexpression 
closed set containing fi(i2, E) and let n be the number of expres- 
sions in T. One can determine whether Cr(E, T) is universal in 
order n k time. If Cr(E, T) is not universal, it is finite and can be 
enumerated in order n k time. 

The proof of the above lemma is similar to the proof of the refined 
tractability lemma and is not given here. It is possible to characterize locality 
in terms of the closure operator Cr rather than the inference relation H r. 
To do this we need some additional terminology. 

Definition: A one step extension of a subexpression closed set 
T is an expression a that is not a member of T but such that 
every proper subexpression of a is a member of T. 
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Definition: An extension event for a rule set R is a four-tuple 
<a, \&, E, T> such that T is subexpression closed and contains 
£l(R, E), a is a one step extension of T, and ^ is a member of 
C R (S,TU{a}). 

The letters £, Si, £2, etc. are used below to denote extension events. 
Consider an extension event <a, \I>,E,T>. Note that the formula \& may be 
"old" in the sense that * may be a member of Cr(E,T). Alternatively, \I> 
may be "new" in the sense that ^ is a member of Cr(E, T U {a}) but not 
a member of Cr(E, Y). The lemma given below states that a rule set R is 
local if and only if it is impossible for a new formula to be a label formula of 
the old set T. 

Definition: A feedback event for a rule set R is an extension 
event <a, \P, E, T> for R where $ is a label formula of T but not 
a member of Cr(E, T). 

Lemma: A rule set R is local if and only if there are no feedback 
events for R. 

Proof: First, suppose there exists a feedback event S for R 
with components <a, \I>,E,Y>. The fact that $ is a member 
of C R (E,T U {a}) implies that E \- R tf. The fact that S is 
a feedback event implies that W is a label formula of T but not 
a member of C/j(E, T). The fact that ^ is a label formula of T 
implies that T contains Cl(R, EUtf). So # must not be a member 
of Cfl(E, £l(R, E U {*})) and soS^ fi $. Thus \- R and H R are 
different and R is not local. 

The above argument shows that if R is local then there can 
be no feedback events for R. We will now show the converse — 
if there are no feedback for events for R then R is local. Suppose 
there are no feedback events for R. Now consider any E and 
$ such that E ty R $. To show that R is local it suffices to 
show that E \/ R $. To show E \/ R $ it suffices to show that 
for any finite subexpression closed set T containing £l(R, E U 
$) we have $ £ Cfl(E, T). By assumption we have that $ £ 
Cr(E,0(.R, E U {$})). Now let T be any subexpression closed 
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set containing £l(R, E U {$}) such that $ ^ Cr(H,, T). For any 
one-step extension a of T we have that $ is not a member of 
Cr(E, T U {cc}) — otherwise the tuple <a, $, E, T> would be a 
feedback event. By induction, this implies that $ is not a member 
of Cr(E, T) for any finite subexpression closed set T containing 
Sl(R, E U {$}) and thus E \/ R $. 

The above lemma reduces the problem of determining locality to the prob- 
lem of determining the existence of feedback events. The locality recognition 
procedure is based on a general method of proving the non-existence of feed- 
back events. This general method is best introduced using a simple example. 
Consider the following rules expressing the monotonicity of an operator /. 



17 ?t C It 19 ?« C ?u 



18 ?r C Is /(?s) C /(?«) 



?rC It 



Let M (for monotonicity) be this set of three inference rules. 1 We wish 
to prove the non-existence of feedback events for M. Consider an extension 
event <a, \P, E, T> for rules M. Either tf is an "old" formula, i.e., a member 
of Ca/(E,T), or ^ is provable from old formulas using the above inference 
rules. It is possible to characterize all the ways of proving a new formula 
from old formulas using rules M. More specifically, for any extension event 
<a, \P, E, T> for M, one of the following four conditions must hold. 

• $ is an "old" formula, i.e., a member of Cm(E, T). 

• ^ is the formula a C a. 



1 The rule set M has applications in high-level proof systems for first order logic 
[McAUester et at., 1989]. An in-depth analysis of the computational complexity of the 
relation \~m is given in [Neal, 1989]. 
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• a is of the form f(s) and ^ is a formula of the form a C t where 
Ca/(£, T) contains the formulas s C u and f(u) C t . 

• a is of the form f(s) and ^ is a formula of the form t Q a where 
Cm (E, T) contains the formulas t C /(u) and uCs, 

If an extension event satisfies one of the above conditions then either \t is an 
old formula (the first condition) or ^ contains a as a proper subexpression 
(the last three conditions). Thus \P is either an old formula, or \P is not a 
label formula of T. So no event satisfying one of the above conditions can 
be a feedback event. The problem of proving the non-existence of feedback 
events for M has now been reduced to the problem of proving that every 
extension event for M satisfies one of the above four conditions. This can be 
be done using the following definitions. 

Let J? be a rule set, E a formula set, T a subexpression closed set 
containing J)(i?, £), and let a be a one step extension of T. 

Definition: The set C£°(E,T) is defined to be C*(E,T). The 
set C£ J+1 (£, T) is defined to be C^'(E, T) plus all label formu- 
las of T U {a} that can be derived from Cr J (E, T) via a single 
application of an inference rule in R. 

Note that 

CH(S,Tu{a})=[jWT). 
i>o 

Consider a fixed but arbitrary E, T and a. To show the non-existence of 
feedback events for M , it suffices to show that every formula # in Ca/(E, T U 
{a}) satisfies one of the above four conditions with respect to E, T, and a. 
The four conditions can be viewed as defining four different types of formulas 
in the set Ca/(E, T U {a}). To prove that every formula in CW(E, T U {a}) 
is of one of these four types, it suffices to prove, by induction on j, that 
every formula in C^(E, T) is of one of these four types. Every formula in 
0%} (E, T) is an old formula and so is a formula of the first type. Now assume 
that every formula in C^(£, T) is of one of the four given types. Under this 
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assumption one can prove that every formula ty in C^ J+1 (S, T) is of one of 
the given types. The induction step involves a case analysis on the proof rule 
used to derive an element of C^ +1 (E, T) and the types of formulas used as 
antecedents in the application of that rule. 

The method just described for proving locality for the rule set M can be 
generalized to a mechanical procedure for recognizing locality. 



6 The Locality Recognition Procedure 

The mechanical locality recognition procedure is not guaranteed to recognize 
of all local rule sets. However, it is possible to precisely characterize the 
class of rule sets whose locality is mechanically recognizable. This precise 
characterization involves some additional terminology. 



Definition: The rank of an extension event <a, ^ E, T> for a 
rule set R is the least natural number j such that ^ is an element 
of C£ J (E,T). 

Definition: For any natural number k and rule set R we say 
that R is k -bounded-local if R is local and all extension events for 
R have rank j or less. The rule set R is bounded-local whenever 
there exists some k such that R is fc-bounded-local. 



Note that if R is &-bounded-local then Cr(E, T U {a}) is always equal 
to C%' (E,T). It would seem that bounded-locality is an extremely strong 
condition on inference rules and that few rule sets would satisfy this condi- 
tion. However, all of the examples of local inference rules discussed above 
are bounded-local — the rule sets E and M are 2-bounded- local while B 
is 1-bounded local. Unfortunately, there are rule sets which are local but 
not bounded-local. Let i" consist of the reflexivity rule (17), transitivity rule 
(18), plus rules 20, 21, and 22 given below. The rule set I is local but not 
bounded-local (the proof is left as a non-trivial exercise for the reader). 
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20 n(?s,?t)C?s 22 ?wC?s 

IwCIt 

21 n(?«, ?t)c;?* 



?w c n(?s, ?t) 

Given that / is local (although not bounded-local), the refined tractability 
lemma implies that the generated inference relation is decidable in order n 3 
time (the transitivity rule has order 3). 

The following two theorems are the main results of this paper. 

First Locality Recognition Theorem: For any rule set R and 
bound k it is possible to determine whether or not R is ^-bounded 
local. 

Second Locality Recognition Theorem: There exists a pro- 
cedure which, given any rule set R, does the following. 

• If R is not local then the procedure terminates and outputs 
a feedback event for R. 

• If R is bounded-local then the procedure terminates and 
outputs the least k such that R is fc-bounded-local plus an 
enumeration of the possible "types" of extension events. 

• If R is local, but not bounded-local, then the procedure fails 
to terminate. 

Consider the proof of locality for the monotonicity rules described in the 
preceding section. The proof shows that every monotonicity extension event 
falls into one of four types and that no event of these types can be a feedback 
event. To mechanize this proof technique we need some way to formally 
represent event types. Consider the third monotonicity event type given in 
the preceding section: 

• a is of the form f(s) and \P is a formula of the form a C t where 
Ca/(E, T) contains the formulas s C u and f(u) C t . 
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The events of this type can be characterized by specifying the form of cc, 
the form of W, and certain formulas that must be in Cr{Y>, T). In general, 
we allow a formal specification of an event type to also include a specification 
of expressions that must be in T. A formal specification of an event type is a 
four- tuple <q / , \I>', E', T'> where a' and \P' are patterns giving the form of a 
and \P respectively; E' is a set of formulas that must be included in Cr(E, T); 
and T' is a set of expressions that must be included in T. The patterns a' 
and W are just expressions containing metavariables. The above type of 
monotonicity event can be characterized by the following formal four-tuple. 

• </(?*), /(?*)£?*, {?*C?u,/(?u)C?<}, {C,/,?«,?*,/(?u),?u}> 

The above four-tuple specifies the class of events in which a has the 
form /(?s), \t has the form a C It, and Cr(£,T) contains the formulas 
Is C ?« and /(?u) C It. Let «*', *', £', T'> be the above four-tuple. Note 
that T' has been constructed so that T' is a subexpression closed set con- 
taining Ci(R, £'), and a' is a one-step extension of T'. In fact, the tuple 
<a', \&', S', T'> satisfies all of the conditions given in the definition of an 
extension event — this tuple is itself an extension event. In general, an 
extension event containing metavariables defines an entire class of "instanti- 
ations" of that event. 



Definition: Let S be an extension event <a, ^, S, T> and let 8' 
be an event <o/, #', E', T'>. We say that S is an R-instance of 
the template £', or that the template £' R-covers the event 5, if 
there exists a metavariable substitution p satisfying the following 
conditions. 



• 



p(cx') = a 
/>(*') = * 

P (V) c T 



We say that a template set Ti i?-covers an event set T 2 if every 
member of T 2 is i?-covered by some member of T x . 
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I will often say "covers" or "instance" rather than "i?- covers" or U R- 
instance" respectively when the rule set is clear from context. I will use the 
term "event template", or just "template", rather than the term "event" to 
describe events that are being used as templates or schemas for a whole class 
of events. The following lemmas state useful properties of event templates. 

Let £ be <a, tf, £, T> and let £' be <a', tf ', E', T'> such that £ 
is an instance of £' by virtue of the metavariable substitution p. 

Lemma: The set p(C R (£', T')) is a subset of C R (£, T). 

Proof: Consider any formula in Cr(E>', T'). We must show 
that p(0) is a member of Cfl(£, T). Consider a derivation D of 
from £' such that all formulas in the derivation are label formulas 
of T'. Let p(D) be the derivation derived from D by replacing 
each expression in D by its image under the substitution p. p{D) 
is a derivation of p(Q) from p{T/). Furthermore, since p(T') is a 
subset of T, every formula in p(D) is a label formula of T. Since 
every element of />(£') is in Cft(£, T), we must have that p(Q) is 
also in Cr(E,T). 

Lemma: For each natural number j, the set p(C R "'(£', T')) is a 
subset of C£ J '(E,T). 

Proof: The proof is by induction on j. The previous lemma es- 
tablishes the result for j = 0. Now assume that the result holds 
for j and consider j + 1. Let be any formula in C£' ,i+1 (£', T'). 
We must show that p(B) is in C£' i+1 (E, T). is derivable, via a 
single inference rule, from some formulas $ x . . . $ n in Cr ' j (£', T'). 
By the induction hypothesis p($i) . . ./»($„) are in (^(EjT). 
But p(Q) is derivable from />($i) . . ■ p($ n ) and p(Q) is a label 
formula of T U {a}. Thus p(G) is in C^' +1 (E, T). 

Lemma: The rank of £ is less than or equal to the rank of £'. 

Proof: Let j be the rank of £'. The formula tf ' is in C£' J (£', T'). 
By the above lemma, p(q') must be in (^'(E, T). Since p(W) 
equals \I>, the event £ must have rank ,;' or less. 

Lemma: If £' is not a feedback event then £ is not a feedback 
event. 
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Proof: Since £' is not a feedback event the formula \?' is either 
a member of Cb(£', T') or is not a label formula of T'. In the 
first case, the above lemma implies that p(W), and hence W, is a 
member of Cr(E, T). Now suppose that \P is not a label formula 
of T. Since \&' is a label formula of T' U {a 1 } but not a label 
formula of T', the expression a' must be a proper subexpression 
of ty'. But this implies that p(a') is a proper subexpression of 
p(W) and thus a is a proper subexpression of W. This implies 
that ^ is not a label formula of T and thus £ is not a feedback 
event. 



The locality recognition procedure takes a bounded-local rule set R and 
automatically constructs a proof of the locality of R using the same technique 
as that used above in proving the locality of the rule set M. The proof of 
locality of M involved showing that every extension event for M is an instance 
of one of four specific templates. In order to construct an analogous proof for 
an arbitrary bounded-local rule set R, the procedure must generate a finite 
set of event templates, specific to the rule set R, and must show that this 
finite set of event templates covers all extension events for R. The recognition 
procedure uses a single process to both generate the event templates and to 
prove that the generated templates cover all events. This process starts with 
a set of "null" templates and generates new templates by iteratively passing 
existing templates through the inference rules. 



Definition: The null template of kind r is <?<*,?\I>, {?*},{}> 
where la is a metavariable of kind r. 

Observation: An extension event has rank if and only if it is 
an instance of some null template. 

Without loss of generality we can consider only the syntactic kinds used in 
the inference rules, so we we need only consider a finite set of null templates. 
The following lifting lemma states the existence of a procedure for passing 
templates through inference rules. 
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Lifting Lemma: Let R be a finite rule set and let T be a finite 
template set such that T covers all extension events for R of rank 
j or less. It is possible to compute a finite template set R(T) that 
covers all events of rank j + 1 or less. 

The proof of the lifting lemma, and a procedure for computing R(T), is given 
in the appendix. 

Definition: For any rule set R, define T (R) to be the set of null 
templates and define T j+1 (R) to be Tj(R) U R(Tj(R)). 2 

Observation: Tj(R) covers every extension event for R with 
rank j or less. 

Lemma: R is local if and only if there is no j such that Tj(R) 
contains a feedback event. 

Proof: Suppose there exists some feedback event for R. This 
event must have some finite rank j and must be covered by some 
element of Tj(R). Templates that are not feedback events can not 
cover feedback events, so Tj(R) must contain a feedback event. 

Lemma: R is j -bounded- local if and only if Tj(R) does not con- 
tain any feedback events, Tj(R) covers R(Tj(R)), and every mem- 
ber of Tj(R) has rank j or less. 3 

Proof: First suppose Tj(R) covers R(Tj(R)). Since covering is 
transitive, this implies that Tj(R) covers all events of rank j + 1 or 
less. But, by the same argument, this implies that Tj(R) covers 
all events of rank j + 2 or less. In fact, Tj(R) covers all events. 
If, in addition, Tj(R) does not contain any feedback events, then 
there can be no feedback events for R and R must be local. If all 
templates in Tj(R) have rank j or less then, since no template can 
cover an event of greater rank, all extension events for R must 
have rank j or less. 



2 A "more efficient" definition states that T j+ i(R) equals Tj(R) plus those elements of 
R(Tj(R)) not already covered by some element oiTj(R). 

3 The most natural procedure for constructing R{T) ensures that every event in Tj(R) 
has rank j or less. 
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Now suppose that R is ./-bounded local. Since there are no 
feedback events for R, Tj(R) must not contain a feedback event. 
Since every event has rank j or less, Tj(R) must cover all events. 
This implies that Tj(R) covers R(Tj(R)). Finally, since all ex- 
tension events for R have rank j or less, every template in Tj(R) 
must have rank j or less. 



The recognition theorems follow directly from the above lemmas. A pro- 
cedure based on the above lemmas has been implemented and all claims 
made in this paper for the bounded-locality of particular rule sets have been 
mechanically verified. 



7 Additional Examples 

This section presents additional examples of bounded-local rule sets. These 
examples are intended to support the hypothesis that bounded-local rule sets 
are quite common and easily constructed. The examples are also intended 
to support the hypothesis that recognizing locality is usually difficult. 

Three examples of local rule sets are discussed above — a Boolean rule 
set B, an equality rule set E, and a monotonicity rule set M . Additional 
examples of bounded-local rule sets can be derived by considering various 
unions of these rule sets, e.g., MUB or MUBUE. It turns out that 
all such unions are bounded-local. In general, however, a union of local 
rule sets need not be local. Similarly, a subset of a local rule set need not 
be local. The locality of the various combinations of B, E, and M has 
been determined through mechanical verification. Except for the rule set 
B, which is 1-bounded-local, all combinations of rule sets B, E, and M are 
2-bounded-local. 

The next example is a rule set based on the syntactic structure of English 
under Montague semantics. The rules involve expressions of three differ- 
ent syntactic kinds: class expressions, specified noun phrases, and formulas. 
The expressions can be given a simple semantics in which each class expres- 
sion denotes a set, each formula denotes a truth value, and each specified 
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23 
24 


((every Ix) Ix) 

((every Ix) ly) 
((every ly) Iz) 


27 

28 
29 
30 


((some Ix) ly) 
((every ly) Iz) 


((some Ix) Iz) 
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((every Ix) Iz) 
((some Ix) ly) 


((every Ix) ly) 

((every (1R (some Ix))) (1R (some ly))) 




((some ly) Ix) 
((some Ix) ly) 


((every Ix) ly) 


26 


((every (1R (every ly))) (1R (every Ix))) 




((some Ix) Ix) 


((some Ix) ly) 



((every (1R (every ?x))) (1R (some ly))) 

Figure 2: A Natural Rule Set 

noun phrase denotes an operator that maps sets to truth values (a second 
order predicate). For example if x denotes a set then (every x) is a speci- 
fied noun phrase and denotes a second order predicate that is true of a set 
y just in case the set a; is a subset of the set y — a formula of the form 
((every a;) y) is true just in case x C y. Similarly, a formula of the form 
((some x) y) is true just in case some element of the set x is a member 
of the set y, i.e., just in case x D y is non-empty. For any binary rela- 
tion R, and class expression C, we let (R (some C)) and (R (every C)) 
be class expressions. For example, let kissed be a binary relation and let 
man and woman be class expression constants. We have the class expres- 
sions (kissed (some woman)) and (kissed (every woman)) and we have 
formulas such as ((every man) (kissed (some woman))), or alternatively, 
((some man) (kissed (every woman))). 

The meaning of expressions of the form (R (some C)) and (R (every C)) 
can be defined so that the above formulas have a natural meaning. The 
inference rules shown in figure 2 are sound under this natural semantics. 
Let N (for Natural) be the set of inference rules given in figure 2. A more 
complete discussion of natural language inference relations can be found in 
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[McAllester and Givan, 1989]. In the current context, the rule set N simply 
provides another example of a rule set that can be analyzed in terms of 
locality. Although TV is not a local rule set, the notion of locality can be used 
to construct a polynomial time decision procedure for the relation h^. First, 
to see that N is not local, note that by combining inference rules 25 and 30 
we get 

((some C) S) \~ N ((every (R (every S))) (R (some C))). 

However, the derivation involves the expression (some S), which does not 
appear in the statement of the inference problem, and we have 

((some C)S) \/ N ((every (R (every S))) (R (some C))). 



In spite of the fact that N is not local, the locality recognition procedure 
can be used to show that the relation \~n is polynomial time decidable. Let 
N' be the rule set constructed from N by replacing formulas of the form 
((every C) S) and ((some C) S) by formulas of the form (is-every C S) 
and (is-some C S) respectively. For any formula $ and set of formulas S 
we similarly define $' and £'. We now have that S \~ n $ if and only 
if S' \~n> $'• It now suffices to show that \~n> is polynomial time decid- 
able. But one can machine- verify the fact that N' is 4-bounded-local. The 
refined tractability lemma then implies that there exists an order n 3 decision 
procedure for the relation H^/. 



8 Applications to General Reasoning 

Sound and complete rule sets for semantically expressive languages are nec- 
essarily intractable. Assuming P ^ NP, the semantic entailment relation 
for propositional logic is not polynomial time decidable. The case is worse 
for full first order logic — if a rule set R is sound and complete for first order 
logic then \-r is not decidable. At first glance, it would seem that the notion 
of locality does not apply to such intractable rule sets. However, the notion 
of locality can be useful in constructing semi-automated verification systems 
for checking proofs under intractable rule sets. 
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Consider the quantifier-free predicate calculus with equality. The seman- 
tic entailment relation for quantifier-free predicate calculus is coNP-complete 
— so the relation is presumably intractable. However, consider the rule set 
BUE which is the union of the Boolean and equality rules given above. This 
rule set is local and thus ^bue is polynomial time decidable (it is actually 
decidable in order nlog 2 n time, or order nlogn time assuming that hash 
lookups take unit time). Although the relation \~ bue is not complete for 
quantifier-free logic, it seems quite powerful in practice. It is possible to con- 
struct a sequent proof system that is complete for quantifier-free logic based 
on the decidable relation \~bue- A proof in this system is a series of lines 
where each line is a sequent of the form Sh$. This proof system is "high- 
level" in the sense that individual lines in the proof can abbreviate inferences 
involving a large number of individual rule applications. The abbreviation 
of many inferences in a single line allows high-level proofs to be shorter than 
traditional proofs. The high-level system has two sequent rules. First, if 
2 ("bub $ then the line £ I- $ can be introduced without justification. 
Second, if the high-level proof contains lines SU* h $, and E U -<$ I- $, 
then one is allowed to add the line S h $. The resulting high-level proof 
system is semantically complete, i.e., if $ is semantically entailed by E then 
one can derive the sequent Sh$. The correctness of a series of sequents, 
i.e., the "proofhood" of a proposed high-level proof, can be quickly verified 
using the decision procedure for the relation \~bue- Most importantly, proofs 
in this high-level proof system can be much shorter than traditional proofs 
based on the same rule set. 

The high-level proof system just described for quantifier-free predicate 
calculus can be modified to yield high-level proof systems for full first order 
logic, or even Zermelo-Fraenkel set theory. A high-level proof system for first 
order logic is described in [McAllester et al, 1989]. A machine verified high- 
level proof of the Stone representation theorem for Boolean lattices, from 
the axioms of set theory, is described in [McAllester, 1989]. In this earlier 
work particular inference relations were shown to be polynomial time decid- 
able without using the general notion of locality or the mechanical locality 
recognition procedure. 

The various high-level proof systems described above are all based on the 
idea of separating an intractable inference relation into a combination of a 
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tractable rule set and a set of high-level sequent rules. Note that there is 
no requirement that the tractable rule set be semantically complete. This 
division should be done in a way that maximizes the power of the tractable 
rule set. In the case of first order logic, the power of the tractable rule set can 
be improved by using inference rules for a non-standard syntax. It appears 
that a syntax based on certain features of natural language is particularly 
effective. The use of natural language syntax in the construction of powerful 
high-level proof systems is discussed in more detail in [McAllester et al., 1989] 
and [McAllester and Givan, 1989]. 



9 Discussion 



Several technical questions remain unanswered. First, although the above 
procedure shows that ^-bounded locality is decidable for arbitrary rule sets, 
it is not known whether (unbounded) locality is decidable. Another open 
question regards inference relations rather than rule sets. An inference rela- 
tion will be called local if it is generated by some local rule set. It is possible 
for a rule set R to be non-local and yet the relation \-r is generated by some 
other rule set R' where R' is local — so the relation \-r can be local even 
though R is not. Given a rule set R can one determine if the relation \-r 
is local? We will say that a relation is ^-bounded- local if it is generated by 
some fc-bounded-local rule set. Can one determine if \- R is &-bounded-local? 

It seems likely that the definition of locality can be improved. Consider 
the "natural" rule set TV given above. This rule set is not local but a trivial 
syntactic transformation yields an essentially equivalent, but bounded-local, 
rule set TV'. In general, replacing formulas of the form (P s t) by formulas 
of the form ((P s) t), i.e., Currying the predicate P, can transform a local 
rule set into one that is not local. The fact that locality is sensitive to 
such trivial syntactic changes suggests that a more robust notion of locality 
is possible. Ideally, a definition of locality should have the property that 
locality of an arbitrary rule set is decidable, locality of a rule set guarantees 
that the generated inference relation is polynomial time decidable, and the 
class of local relations is closed under certain simple syntactic transformations 
such as Currying. 
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An improved notion of locality might also lead to improvements in the 
refined tractability lemma. Ideally, one should be able to mechanically recog- 
nize that the Boolean inference relation is linear time decidable rather than 
quadratic as the tractability lemma would indicate. Similarly, the single rule 
of transitivity generates a relation that is decidable in linear time, rather 
than cubic. In both of these examples the more efficient algorithm can be 
viewed as a tighter restriction on forward chaining inference. Automatic 
construction of a fast congruence closure algorithm is perhaps too much to 
expect — fast congruence closure is not simply a matter of tightening the 
restriction on forward chaining inference. However, it may be reasonable to 
invoke special case mechanisms for rule sets that include the equality rules 
as a subset. Hopefully, the framework presented in this paper is only a first 
step toward a more powerful, and more general, theory of tractable inference 
relations. 
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APPENDIX: The Lifting Lemma 

The lifting lemma can be stated as follows. 

Lifting Lemma: Let J? be a finite rule set and let T be a finite template set 
such that T covers all extension events for R of rank j or less. It is possible 
to compute a finite template set R(T) that covers all events of rank j + 1 or 
less. 

The template set R(T) can be constructed from R and T as follows. 

Definition: Let J? be a set of inference rules and let T be a set of event 
templates such that any individual metavariable appears in at most one rule 
or template (the rules and templates have all been resolved apart). We 
define R(T) to be the set of event templates that can be generated non- 
deterministically by the following procedure. 



1. Let 



6i 



be a rule in R and let <ai, \&i, Si, T x > . . . <a n , *„, S n , T n > be tem- 
plates in T such that there exists a metavariable substitution p such 
that p(&i) = />(*•') for 1 < i < n and ^(a,) = p(ctj) for 1 < i < j < n. 

2. Let p be the most general substitution satisfying the above conditions. 

3. Let a be the expression p(cti) for any a,-. 

4. Let {s x . . . Sfc} be the set of all top level proper subexpressions of /»($), 
i.e., proper subexpressions of /a($) that are not proper subexpressions 
of any (larger) proper subexpression of /»($). 

5. Let {ui . . . u m } and {ioi . . . w p } be disjoint sets whose union is {sx • • • -s^} 
and such that there exists a substitution p' such that p'{ui) = p'(a) for 
1 < i < m. 
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6. Let p' be the most general substitution satisfying the above conditions 
for the selected expressions u\ . . . u m . 

7. Let a' be p'(a). 

8. Let *' be p'(p($)). 

9. Let E' be //(/.(^.(S,-))). 

10. Let T' be the least subexpression closed set containing all of the fol- 
lowing: 

(a) All closed (variable-free) proper subexpressions of formulas that 
appear in the rule set R. 

(b) All proper subexpressions of E' 

(c) All sets of the form //(p(T,)) for 1 < i < n 

(d) All proper subexpressions of a'. 

(e) The expressions p'{w\) . . . p'(w p ). 

11. If a' is not a member of T' then output <a', $', E', T'>. 

Lemma: If T is a set of event templates for R then R(T) is also a set of 
event templates for R and if all templates in T have rank j or less then all 
templates in R(T) have rank j + 1 or less. 

Proof: Let <o/, $', E', T> be some tuple in R(T). An event template is 
just an event (which may contain metavariables) so we have to show that 
this tuple satisfies all of the conditions for being an extension event for R. 
Step 10 ensures that T' is subexpression closed and steps 10a and 10b ensure 
that T' contains Cl(R, E'). Step lOd, and the condition in step 11 that a' not 
be in T', ensure that a' is a one step extension of T'. Steps 3, 4, 5, 6, and 
lOe ensure that every immediate subexpression of $' is either a member of 
T' or is equal to a'. This guarantees that $' is a label formula of T' U a'. 

We must also show that the formula $' is a member of C^'' j+1 (E', T'). Let 
<<*i> ^i, Ei, Ti> . . . <a n , ^„, E n , T n > be the templates in T selected at step 
1 of the procedure. Let p" be the substitution that maps every expression e to 
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p'(p(e)) where p and p' are the substitutions constructed in steps 2 and 6 re- 
spectively. The construction of the substitution p' ensures that $' is derivable 
from p"($i) . . . p"($ n \ via a single inference rule. For each *,• we have that 
Wi is a member of C£ J (E,-, T,). Now we show that p"(C R (Zi, T,)) is a subset 
of Cfl(E', T'). Let be any formula in Cfl(£,-, T,) we must show that p"{Q) 
is a member of C R (E', V). Let D be a derivation of from £,• such that ev- 
ery formula in D is a label formula of T,. p"(D) is a derivation of p"(Q) from 
/?"(£). Furthermore, since every proper subexpression of every formula in D 
is a member of T,-, every proper subexpression of every formula in p"(D) is a 
member of T'. Thus p"(e) is a member of C fi (E', T'), and rho"{C R {Hi, T,)) 
is a subset of C fl (E',T'). Since *,- is a member of C£ J (E,-,T t ), there ex- 
ists a depth j derivation of />"(#;) from /9"(Ck(£,-, T,)). Since />"(C R (E,-, T.) 
is a subset of Cr(E', T'), there exists a depth j derivation of />"(*,) from 
Cfl(E', T'). An argument similar to the one above shows that every formula 
in this derivation is a label formula of T' U {a'} and thus p"(*,) is a member 
of C^'-^E', T'). But $' is derivable in one step from />"(* x) . . . p"(V n ) and 
thus $' must be a member of C£' J+1 (E', T'). □ 

Lemma: If T is a set of templates that covers all events with rank j or less, 
then R(T) covers all events of rank j + 1. 

Proof: Let £" be an extension event <a", $", E", T"> of rank j + 1 (the use 
of double primes allows the names used in this proof to agree with the names 
used in the above procedure). By definition, $" is a member of C£ J+1 (£, T) 
but not a member of C£* J (E,T). This implies that there exist formulas 
*;'... #£ in C£" J (E", T") and an inference rule r of the form 



6i 
0„ 



$ 



in R that allows $" to be derived from \P" . . . * £ by applying a substitution er 
to the inference rule. We have that <r(0.) = V'/ and <r($) = $". Let S" . . . S" n 
be the extension events <a",^'{,'E",r"> . . . <a",^,E",V> respectively 
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Each event S" has rank j or less and thus each £" is covered by some tem- 
plate in T. Let E x . . . £ n be templates <a x , #1, E x , T a > . . . <e* n , # n , E„, T n > 
that cover events 6" . ..£" n via substitutions pi ... p n respectively. We have 
assumed that no metavariable appears in more than one of r, Z\ ... £„. 
Therefore we can define a substitution r such that for any metavariable x, 
if x appears in r then t(x) equals er(x); if x appears in £,• then r(x) equals 
pi(x); otherwise r(x) equals x. We now have 

r(0.) = <t(0,-) = *;.' 
r(*.o = Pi m = *? 

r(a,) = /?,•(«,•) = a". 

Thus we have that r(0,) = r(*,) for 1 < i < n and r(ai) = t(o;j) for 
1 < i < i < «• So the substitution r satisfies all of the conditions given in 
step 1 of the procedure. Let p be the most general substitution satisfying 
these conditions, as constructed at step 2 of the procedure. 

The substitution p is at least as general as r. This implies that the 
substitution r can be written as p followed by another substitution r', i.e., 
for any expression e we have that r(e) equals r'(p(e)). Let a be p{ai) as 
defined in step 3 of the procedure. Since t'(/j(q;,)) equals r(o:,) which equals 
a", we have that t'{o) equals a". The expression r'( / o($)) equals r($) which 
equals $". Thus r'(/>($)) is a label formula of T" U {a"}. This implies 
that, for each immediate subexpression s of p($), we have that t'(s) either 
equals a" or is a member of T". Let u x . . . u k be the set of all immediate 
subexpression u of />($) such that r'(u) equals a". Let wi...w p be the 
set of immediate subexpressions w of />($) such that r'(w) is a member of 
T". Note that for each u,- we have that r'(u,) equals a" which equals r'(a). 
Thus r' is a substitution that satisfies the requirement of step 5. Let p' be 
the substitution defined in step 6 of the procedure, i.e., the most general 
substitution such that />'(«,-) = p'(a) for 1 < i < m. 

The substitution, p' at least as general as r'. As before, this implies that 
r' can be written as p' followed by another substitution r", i.e., for any ex- 
pression e, r'(e) equals T"(p'(e)). We now have that for any expression e, r(e) 
equals t"{p'( p (u)). Let a', $', £', and T be defined as in steps 7, 8, 9, and 10 
of the procedure, and let £' be the tuple <a', $', S', T'>. We will now show 
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that £' is an event template that covers the original event <ct", $", E", T"> 
via the substitution r". We have that r"(a') equals T"(p'(a)) which equals 
a". Similarly, r"($') equals $". Furthermore, a case analysis on steps 10a 
through lOd can be used to show that t"{V) is a subset of T". This implies 
that a' is not a member of T', otherwise we would have that r"(a') is a mem- 
ber of t"(T') and so a" would be a member of T" which violates the original 
condition that a" be a one-step extension of Y". Since a' is not a member 
of T' the tuple £' is output by the procedure and thus is a member of R(T). 
By the above lemma, £' is an event template. Finally, we must show that 
t"(£') is a subset of C*(E",T"). The set r"(E') equals Ui<,<„ r'V(p(S,))) 
which equals Ui<,<„T"(E t ). But by assumption, t{o- { ), which equals p,(E,), 
is a subset of C H (E", T"). □ 
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